Despite the security risks involved with wireless networks, which are well-documented and addressed in more than a few articles, the benefits of wireless networking are numerous and hard to ignore. Many organizations have already implemented a wireless network to support their internal user base. In addition, many others are in the process of planning such a deployment. If your organization falls into this category, it’s vital that you take steps to lock down wireless security.

In fact, before you take another wireless step, you need to create a wireless LAN security policy. If you already have a policy, make sure it’s up to date. (Do you already have a wireless network but no policy? Better late than never—start creating one today.)

Which areas should your wireless LAN security policy address? At the minimum, it should focus on seven key areas that establish the basis for deployment, use, and management of your wireless network. Let’s take a closer look at each key area.
Define your user base
Clearly identify who can use the WLAN and what level of access those users have to both your intranet and the Internet. WLANs typically offer unrestricted access to the entire network and Internet access. However, that doesn’t mean it’s a good idea to leave it like this.

Instead, consider specifying that the WLAN is specifically for guests (i.e., non-company users), and prohibit employees from using it. Some companies block their wireless subnets from either their intranet or the

Regardless of how you choose to allow access, it’s essential that you determine the scope of access. More important, clearly define this in your policy and implementation.
Identify appropriate usage
After identifying the wireless network user community, identify the type of information that users can and cannot send over the wireless network. For example, you might want to prohibit sending personal or financial records via the WLAN.

In addition, it’s a good idea to prohibit ad hoc connections (i.e., peer-to-peer). You don’t want a smart user extending your network to users who don’t have authorization to use WLAN access.
Prepare for secure installation
Spell out specifically which internal department is responsible for deploying wireless access points (WAPs) and other wireless devices within your network. Otherwise, you run the risk that wannabe administrators will install a WAP in their office space, which may not be appropriately

Define minimum physical security standards for WAP locations, and determine who will have physical access to the WAPs. Ideally, try to place your WAPs in controlled access rooms on the interior walls of the building. Adjust their coverage zone to the limits of your physical boundary—and not one
Determine effective security settings
Define the minimum security measures enabled on all WAPs. Disable the service set identifier (SSID) broadcast feature, and change the default SSID to something that does not reveal your company’s name or business market. Otherwise, you’re just asking someone to hack into your network.

Enable wireless encryption, and mandate the use of Wi-Fi Protected Access-Temporal Key Integrity Protocol (WPA-TKIP) or WPA Advanced Encryption Standard (WPA-AES), also known as WPA2. Both of these encryption schemes employ a strong cipher model. However, AES, which uses the Rijndael cipher, is stronger and currently recognized as a security standard for use on classified data systems.
Outline a contingency plan for loss of equipment and data
Soon after you start deploying your wireless network, you can pretty much bank on someone losing a wireless device or other hardware somehow finding its way out the door. When the inevitable losses occur, you must immediately change all the security settings within your wireless network (e.g., SSIDs and encryption keys), and your policy should stipulate this. Treat any loss as a compromise of the system, and identify specific steps to take to mitigate
Plan appropriate training of both staff and users
Address training issues for the entire IT department as well as users to prepare everyone for the deployment, use, management, security, and incident response of your new WLAN. Organizations often overlook this step during a new deployment, which is why it’s vital that your policy address it.

Keep in mind that WLANs are completely different from conventional wired LANs. Outline a minimum training requirement, and develop a knowledge base for WLAN use from current successful implementations.
Establish guidelines for management and monitoring
Once you’ve successfully deployed a wireless network and locked it down, there’s no guarantee it will stay that way. Your policy should define the frequency and scale of security assessments (including rogue access point discovery), which should take place on a regular basis to ensure continued
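One way to turn the minimum WAP settings described earlier (hidden, non-default SSID that does not name the company; WPA-TKIP or WPA2-AES) and the rogue access point discovery called for here into a repeatable assessment. This is an added example, not code from the column: it audits a constructed scan listing (BSSID, SSID, encryption, SSID mode) against a hypothetical authorized inventory; the inventory, the company name "acme", the default-SSID list and the scan lines are all constructed.

```python
import csv
from io import StringIO

# Constructed inventory: BSSID -> SSID the policy expects that AP to serve.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-secure",
    "00:11:22:33:44:02": "corp-secure",
    "00:11:22:33:44:03": "corp-secure",
}
COMPANY_NAME = "acme"                            # hypothetical company name
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}
ACCEPTED_ENCRYPTION = {"WPA-TKIP", "WPA2-AES"}   # the policy's mandated minimum

# Constructed scan output, one AP per line: bssid,ssid,encryption,ssid_mode
SAMPLE_SCAN = """\
00:11:22:33:44:01,corp-secure,WPA2-AES,hidden
00:11:22:33:44:02,Acme Wireless,WPA2-AES,broadcast
00:11:22:33:44:03,corp-secure,WEP,hidden
de:ad:be:ef:00:01,linksys,OPEN,broadcast
"""

def audit_scan(scan_text, inventory=AUTHORIZED_APS):
    """Return {bssid: [findings]} for every AP that violates the policy."""
    findings = {}
    for row in csv.reader(StringIO(scan_text)):
        if not row:                     # tolerate blank lines in the scan
            continue
        bssid, ssid, enc, mode = (field.strip() for field in row)
        bssid = bssid.lower()
        issues = []
        if bssid not in inventory:      # rogue access point discovery
            issues.append("rogue: BSSID not in the authorized inventory")
        elif inventory[bssid] != ssid:  # authorized AP, but reconfigured
            issues.append(f"SSID changed from policy value {inventory[bssid]!r}")
        if enc not in ACCEPTED_ENCRYPTION:
            issues.append(f"encryption {enc} below the WPA-TKIP/WPA2-AES minimum")
        if mode != "hidden":
            issues.append("SSID broadcast enabled")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("vendor default SSID still in use")
        if COMPANY_NAME in ssid.lower():
            issues.append("SSID reveals the company name")
        if issues:
            findings[bssid] = issues
    return findings

if __name__ == "__main__":
    for bssid, issues in audit_scan(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(issues))
```

Feed it the output of whatever scanning tool your assessments already use, reduced to the four fields above, and keep the inventory in the same change-controlled place as the policy itself.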
Every new deployment in your organization should have a policy foundation. If you don’t have a WLAN, chances are good that you’ll be running one in the near future. Before you deploy a WLAN, take the appropriate steps to set up some guidelines, and you’ll prove that having even a bad policy is better than having no policy at all.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security